site upgraded minimally to wordpress 2.1.2 from 2.1.1
WordPress.org acknowledged that the 2.1.1 release may have been tampered with for some of the downloads. It is urgent for sites running 2.1.1 to upgrade to the latest 2.1.2 release. As always, not many specifics were given.
I downloaded the latest 2.1.2 release and compared it with the 2.1.1 release that was used to upgrade this site late last month. The changed PHP files are listed below:
./wp-admin/edit-pages.php
./wp-admin/edit.php
./wp-admin/custom-header.php
./wp-includes/functions.php
./wp-includes/js/tinymce/tiny_mce_config.php
./wp-includes/script-loader.php
./wp-includes/query.php
./wp-includes/version.php
./xmlrpc.php
I went ahead and overwrote all these files under the live wordpress/ directory. To be sure, I also
- pruned any files under wp-includes/ that are missing from the latest 2.1.2 release. Mostly they were left over from my minimal upgrade from wordpress 2.0.7 to wordpress 2.1.
- verified the MD5 checksums of all files in the running wordpress/ directory by comparing them with those from the 2.1.2 release directory.
It’s a little hairy to have your “trusted” source tampered with like this. I wish digital signatures were provided for each wordpress.org release package. In the back of my mind, I always wonder why digital signatures haven’t caught on for many popular FOSS projects. Given the popularity of GnuPG, it shouldn’t be too much of a stretch to expect release managers to sign release packages and such.
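To make the pruning and checksum steps repeatable, here is an added shell example (not from the original post): it walks a freshly extracted release directory and the live install, reporting files whose MD5 differs, files missing from the live tree, and leftovers in the live tree that the release does not contain. The directory names are assumptions.

```shell
#!/bin/sh
# Added example: compare a live WordPress tree against a clean release directory.
# Output lines: MODIFIED <path> (digest differs), MISSING <path> (in release,
# not live), EXTRA <path> (in live, not release: candidate for pruning).
# Assumes md5sum (GNU) or md5 (BSD) is available; directory names are hypothetical.

md5_of() {
    # Print the hex digest of one file, portable across md5sum and md5.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

compare_tree() {
    release="$1"
    live="$2"
    # Every file shipped in the release must exist in the live tree with the same digest.
    ( cd "$release" && find . -type f ) | sort | while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING $f"
        elif [ "$(md5_of "$release/$f")" != "$(md5_of "$live/$f")" ]; then
            echo "MODIFIED $f"
        fi
    done
    # Anything in the live tree that the release does not ship is a leftover to inspect.
    ( cd "$live" && find . -type f ) | sort | while IFS= read -r f; do
        [ -f "$release/$f" ] || echo "EXTRA $f"
    done
}

# Usage: compare_tree /tmp/wordpress-2.1.2 /var/www/wordpress
```

Site-specific files such as wp-config.php and anything under wp-content/uploads will show up as EXTRA and are expected; review those rather than pruning blindly.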
experts8 said,
March 14, 2007 @ 5:37 pm
Abel documented his findings on digg.com about how to tell whether your WordPress 2.1.1 release download is a compromised version or not.
His original post was in Chinese. Here is my lousy translation.
Mainly, two files were modified if the 2.1.1 release was a compromised one.